Android bug opens devices to outside control: experts
By Jim Finkle
Fri Feb 24, 2012 3:59pm EST
BOSTON (Reuters) - Cybersecurity experts have uncovered a flaw in a component of the operating system of Google Inc's widely used Android smartphone that they say hackers can exploit to gain control of the devices.
Researchers at startup cybersecurity firm CrowdStrike said they have figured out how to use that bug to launch attacks and take control of some Android devices.
CrowdStrike, which will demonstrate its findings next week at a major computer security conference in San Francisco, said an attacker sends an email or text message that appears to be from a trusted source, like the user's phone carrier. The message urges the recipient to click on a link; doing so infects the device.
At that point, the hacker gains complete control of the phone, enabling him or her to eavesdrop on phone calls and monitor the location of the device, said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.
Google spokesman Jay Nancarrow declined to comment on CrowdStrike's claim.
Alperovitch said the firm conducted the research to highlight how mobile devices are increasingly vulnerable to a type of attack widely carried out against PCs. In such instances, hackers find previously unknown vulnerabilities in software, then exploit those flaws with malicious software that is delivered via tainted links or attached documents.
He said smartphone users need to prepare for this type of attack, which typically cannot be identified or thwarted by mobile device security software.
"With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices," said Alperovitch, who was vice president of threat research at McAfee Inc before he co-founded CrowdStrike.
Researchers at CrowdStrike were not the first to identify such a threat, though such warnings are less common than reports of malicious applications that make their way to online sites, such as Apple's App Store or the Android Market.
In July 2009, researchers Charlie Miller and Collin Mulliner figured out a way to attack Apple's iPhone by sending malicious code embedded in text messages that was invisible to the phone's user. Apple repaired the bug in the software a few weeks after the pair warned it of the problem.
The method devised by CrowdStrike currently works on devices running Android 2.2, also known as Froyo. That version is installed on about 28 percent of all Android devices, according to a Google survey conducted over two weeks ending February 1.
Alperovitch said he expects to have a second version of the software finished by next week that can attack phones running Android 2.3. That version, widely known as Gingerbread, is installed on another 59 percent of all Android devices, according to Google.
CrowdStrike's method of attack makes use of a previously unpublicized security flaw in a piece of software known as WebKit, which is built into the Android operating system's Web browser.
WebKit is also incorporated into other software programs, including Google's Chrome browser and the Apple iOS operating system for the iPhone and iPad.
CrowdStrike said it had not attempted to create software to attack iOS devices or the Chrome browser.
Manufacturers of Android devices include HTC Corp, LG Electronics Inc, Motorola Mobility Holdings Inc and Samsung Electronics Co.
(Reporting By Jim Finkle)